Microsoft’s twice-yearly Blue Hat hacker summit, running Oct. 26-27, will kick off later this week with a demo of a virtual machine rootkit that can potentially be used to defeat the controversial PatchGuard technology.
Dino Dai Zovi, a principal at penetration-testing outfit Matasano Security, has been invited to Microsoft’s Redmond, Wash., campus to showcase a hardware VM-based rootkit called Vitriol that piggybacks on Intel’s VT-x virtualization extension.
Zovi, an expert on exploitation techniques, 802.11 wireless attacks and operating system kernel security, will demo the rootkit at the conference, to which select members of the hacking community are invited to brainstorm security issues with Microsoft employees and executives.
The Vitriol presentation is an expansion of a talk given by Zovi (here as a PDF) at the Black Hat Briefings in Las Vegas in August, and will include a technical explanation of how Intel’s VT-x extensions can allow malicious hackers to install a “rootkit hypervisor” that invisibly runs the original operating system in a virtual machine.
Zovi plans to demonstrate how the Vitriol rootkit can migrate a running operating system into a hardware virtual machine on the fly and install itself as a rootkit hypervisor. The malicious code becomes inaccessible to the operating system, maintaining stealth and controlling access to the malware.
Microsoft officials declined to comment on the Blue Hat schedule. According to sources familiar with the company’s plans, Blue Hat v4 will feature a roster of well-known white hat researchers specializing in OS kernel hardening, database security and application threat modeling.
The source said the company is looking for “new faces” to talk at the two-day event. Researchers who made presentations at Blue Hat v3 in March 2006 are being invited back as attendees.
At the Spring 2006 sessions, the roster of presenters included database security experts David Litchfield and Alexander Kornbrust, Web applications security researcher Caleb Sima, Metasploit founder HD Moore and reverse engineering guru Halvar Flake.
Moore, Flake and Kornbrust said they will not be attending the sessions this week.
To read more about Microsoft’s Blue Hat hacker summits, click here.
Zovi’s virtual machine rootkit presentation comes on the heels of a Black Hat demo by stealth malware researcher Joanna Rutkowska of Blue Pill, new technology that is capable of creating malware that remains “100 percent undetectable,” even on Windows Vista x64 systems.
Rutkowska’s Blue Pill prototype uses Advanced Micro Devices’ SVM/Pacifica virtualization technology to create an ultrathin hypervisor that takes complete control of the underlying operating system.
Rutkowska, who also showed off a way to defeat the device driver signing requirement in Windows Vista, told eWEEK she has never been invited to speak at Microsoft’s Blue Hat.
Microsoft’s own Cybersecurity and Systems Management Research Group has also created a proof-of-concept rootkit called SubVirt that exploits known security flaws and drops a VMM (virtual machine monitor) underneath a Windows or Linux installation.
Check out eWEEK.com’s for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s Weblog.